IDC Market Glance: SIEM, 3Q19

On-line Presentation

Abstract

This IDC Market Glance provides a view of worldwide SIEM by form factor, region, and vertical market. Traditionally, SIEM platforms have been used to generate compliance reporting, and this is true and an important function today. SIEM has also been used for storage and indexing of packets for investigations; the hope being presently investigated alerts can be tracked for dwell time in a network's environment. Every internet browser session, email, internal server and router transaction, and Active Directory request generates a log. In theory, with the proper amount of time and skill, logs could be reconstructed that they will find when the adversary entered the network, what digital properties were exfiltrated, and what the extrusion path of the adversary was. A fair and lively argument can be made that the intelligent collection of metadata provides an able and cost-effective cyberdefense, but it should be noted that without 100% full-packet capture (PCAP), reconstruction of event timelines with the original artifacts is not possible. Including forensic capabilities, SIEM is the last hope of catching the adversary.

Two key metrics measure the efficacy of a security operation center (SOC): mean time to detect (MTTD) and mean time to respond (MTTR). SIEM is a log-based technology and as such can facilitate both MTTD and MTTR. In 2019, UBA is an important addendum to an overall cybersecurity posture. UBA is both a discrete technology and an essential technology feature set used across multiple technologies such as endpoint detection and response, threat analytics, and SIEM.

These ideas help explain what SIEM has to do from the standpoint of security postures. However, the word security becomes too generic a term. At times, an enterprise (or smaller company) is looking for a specific security tool for a specific use case or for a specific architecture. Some SIEMs are best designed for on-premises use, for manufacturing environments, or address jurisdictional needs on the basis of geo-compliance or data privacy standards.